Why Cyber Insurance Now Requires Multi-Factor Authentication

By Hoffman Brown Company

Today, most insurers won’t offer cyber insurance to clients who have not implemented multi-factor authentication (MFA) in their information technology (IT) systems. Without MFA, bad actors with stolen passwords and user names can easily impersonate your employees and illegally access your network.

What Is User Authentication?

Authentication is a standard access requirement for most software and hardware systems. It’s a means for a system to verify the identity of any user requesting access. For example, when you activate authentication on your phone, you’ll have to supply a secret combination to use it. However, that would be “single-factor,” so to speak, because there’s only one layer of security.

What Does Multi-Factor Authentication Mean?

With MFA, a computing system requires more than just a password and user name to authenticate users. For your employees to access your business software, they'd have to supply an additional proof of identity that only they know, have, or are. In a typical cloud-based or on-premises system, MFA can be implemented in different ways, such as:

  • Requiring users to know something else, such as the name of their first pet or their father’s middle name.
  • Requiring users to have something else. For example, when a user supplies the correct login details, a time-sensitive, one-off secret code may be sent to their phone via SMS. They’ll have to enter the code to be allowed into the system.
  • Requiring fingerprint or other forms of biometric identifiers.
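
The time-sensitive, one-off code check from the second bullet can be enforced on the server as follows. This is an added example, not code from the original article. The class name, the five-minute lifetime, the three-wrong-entry limit, and the in-memory store are assumptions, and delivery of the code by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 3        # assumed number of wrong entries allowed per code


class OneTimeCodeStore:
    """Keeps at most one pending login code per user (in memory, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [code digest, expiry time, attempts left]

    @staticmethod
    def _digest(code):
        # Fixed-length digests let compare_digest handle any submitted string.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user):
        """Create a fresh 6-digit code; the caller sends it to the user's phone."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user] = [self._digest(code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """Return True only for the current, unexpired, not-yet-used code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]  # time-sensitive: stale codes are dropped
            return False
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[user]  # one-off: never accepted a second time
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user]  # guessing limit reached: code is burned
        return False
```

Call `verify` only after the password check has passed, so the code is a second factor and not a replacement for the first.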

Where Do You Have to Implement MFA to Get Cyber Insurance?

You’ll need to implement MFA controls in these digital user authentication scenarios:

Remote access: MFA helps improve IT security if you allow any employee to access company networks from their home or other remote locations.

Administrative access: MFA can make it difficult to impersonate system administrators or other users with advanced system privileges.

Email access: MFA helps fortify email security, considering that most user accounts are linked to emails. A breached account can be used to make unauthorized password resets and other changes to system configurations.

Why MFA Is Now Mandatory for Cyber Insurance Protection

If you’re looking to purchase cyber insurance, implementing MFA isn’t a suggestion anymore. Without it, most insurers consider your business too risky to cover.

MFA has proven to be very effective in minimizing the risk of cyberattacks. Implementing it eliminates the utility of stolen passwords, making you a low-risk insurance client. According to Microsoft, the technique can thwart over 99.9% of account hacking attempts.

If a criminal managed to steal valid user names and passwords, they would still need access to the user’s personal device, fingerprints, or unique personal information to be allowed into the system. What is the likelihood of a random cyber attacker having your smartphone and login details at the same time? It’s virtually zero. The same is true for attackers simultaneously stealing your password and knowing your personal details like your first pet’s name.

With MFA in place, several cyber hacking tools or methods become highly ineffective. Examples include:

  • Stealing passwords through phishing.
  • Using keyloggers to secretly capture passwords as the user types them on the keyboard.
  • Brute force attacks that involve guessing login details by trial and error. While you can prevent this by limiting wrong password entries to just three, there’s always that small chance that an attacker could get it right the first or second time. MFA would halt their progress right away.

Now you know why implementing MFA is a key pre-qualification for cyber insurance coverage. If you have any questions about data breach policies, contact Hoffman Brown Company today. We’re happy to help you find cyber liability coverage that suits your needs.